ID. Date of interview 
date 44/02/20 


ID. Time interview started 
start 43:10:03 


ID.end Completion date of interview 
Date 44/02/20 


ID.end Time interview ended 
14:47:39 


ID. Duration of interview 
time 97.60 


new Case 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
O) Yes 

O) No 

© Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Could more information be provided on steps which would be considered reasonable to take to confirm
ID? E.g. would a request from a known email / social media account suffice, or would we need to seek
additional confirmation of identity? Where a third party makes a request, but we cannot confirm they have
authority to act on behalf of the data subject, should the SAR still be completed and the results sent to
the data subject, not the third party? When providing results, are we permitted to use a secure email
service in order to ensure safe transmission of information? If this cannot be accessed by the client, at
what point should less secure methods be used? Note this would not be where they are required to
purchase software or create an account. Does the time limit start from the point the scope is clarified?
There are lots of requests where data subjects state they "want a copy of information" and it takes time to
confirm with the data subject what information they are requesting. When making reasonable
adjustments, are we permitted to ask for evidence this is necessary where we are unsure (e.g. evidence
from a medical professional that results must be provided in a specific format)? If the same information is
stored in different systems, are we required to provide each copy/version of this? With email searches, is
there any advice on what would be considered excessive, e.g. in terms of number of emails and therefore
enabling organisations to narrow down scope? This could be done either with the data subject or at DPO
discretion - e.g. discounting large group emails. Refusing a request - if the reason for not providing
information is because a medical professional deems it inappropriate or they don't have capacity, are we
still required to formally document this? This may cause more distress to an already vulnerable individual.
3rd parties - should staff be considered on the record, or should their personal details (name, job title) be
taken out? Exemptions for providing harm - serious harm or distress. Who can make this decision (is it
only medical professionals, or would this include health and social care)? Would this only prevent
disclosure of that specific type of information, or would it cover a client's record in total due to distress it
could cause?


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 
No 
©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


More detail on where scope can be clarified, and what would be considered excessive. Remote access - 
if the data subject already has access to the information, and them downloading a copy would be the 
same format as if we were to provide this, would this be considered providing a copy? Some indication 
on the number of emails in an email search which would be considered disproportionate. 


Q3 


Does the draft guidance contain enough examples? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


More examples on scope (e.g. work phones, and whether we need to provide copies of texts if the
information is similarly held somewhere else). Securely sending information, and what would be
reasonable to expect of data subjects, e.g. having a password generated and sent to the individual. More
examples on SAR requests from staff and what to disclose. Are we required to disclose emails between a
data subject's line managers? Section on confidentiality suggests not. Some indication on the number of
emails in an email search which would be considered disproportionate.


Q4 


We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like
to include a wide range of examples from a variety of sectors to help you. Please
provide some examples of manifestly unfounded and excessive requests below (if
applicable).


We had someone request a copy of emails which contained their initials. Their initials
spelt a common two-letter word, therefore the number of results was drastically
increased and many of these were not relevant. We also had someone request a
copy of emails which referred to their first name only. Their first name was also the
name of a month, and again this massively increased the number of results as it
returned any emails sent within that month. An indication of what could be
considered an excessive number of emails to review would be very beneficial. We
also receive requests from existing staff members for all of their information. They
have access to lots of this already, and it would be returned in the same format as
they downloaded it. Some guidance on whether we would need to reproduce this
would be helpful.


Q5 


Q6 


Q7 


On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful

O   O   ©   O   O


Why have you given this score? 


It would be good to have more examples of what would be considered malicious or 
excessive. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree


O © O 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Are you answering as: 


_) An individual acting in a private capacity (eg someone providing their views as a member of the public) 
© An individual acting in a professional capacity 

C) On behalf of an organisation 

() Other 

Please specify the name of your organisation: 


What sector are you from: 
Charity 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(_ ) ICO Facebook account 
(_) ICO LinkedIn account 
C) ICO website 
©) ICO newsletter 
( ) ICO staff member 
(_) Colleague 
(_) Personal/work Twitter account 
(_) Personal/work Facebook account 
(_) Personal/work LinkedIn account 
(_) Other 
If other please specify: 


